Access Review Procedure
1. Purpose
Section titled “1. Purpose”Monthly access reviews execute SOC 2 controls CC6.1, CC6.2, and CC6.3. Each review confirms active users still require access, access levels are least-privilege, and stale accounts and orphaned tokens are removed.
2. Scope
Section titled “2. Scope”All 12 in-scope systems:
| System | What Is Reviewed |
|---|---|
| GitHub | Org members, outside collaborators, team membership, deploy keys |
| Google Workspace | User accounts, admin roles, OAuth app grants |
| Cloudflare | Account members and roles |
| CrowdStrike | Console users and sensor assignments |
| 1Password | Team members, vault access, service accounts |
| Doppler | Workplace members, project access, service tokens |
| GCP IAM | IAM role bindings (Cloud Run, Cloud Monitoring) |
| Supabase | Org members, API keys (anon and service_role) |
| Slack | Workspace members, guest accounts |
| Backblaze | Application keys (name, permissions, bucket scope) |
3. Review Schedule
Section titled “3. Review Schedule”security-cadence.yml creates the GitHub Issue automatically on the 1st of each month. The automated access review script pulls a live roster from Google Workspace and cross-references all 12 systems.
| Cadence | Scope | Owner |
|---|---|---|
| Monthly | Full roster comparison across all in-scope systems, service account audit, stale account removal | CISO |
| Quarterly (Q1, Q2, Q3, Q4) | Deep review — includes service account rotation audit, API key review, privileged access justification | CISO + CTO |
4. Pre-Review: Pull Current Access State
Section titled “4. Pre-Review: Pull Current Access State”access_review.py automates the cross-referencing step. When the monthly GitHub issue is created by security-cadence.yml, the script pulls the live workforce roster from Google Workspace and cross-references against evidence artifacts using role-access-map.yaml. The manual steps below are retained as fallback and for quarterly deep reviews.
GitHub
Section titled “GitHub”Google Workspace
Section titled “Google Workspace”admin.google.com → Directory → Users; Admin roles; Security → API controls → App access control.
Cloudflare
Section titled “Cloudflare”dash.cloudflare.com → Manage Account → Members. Export member list.
CrowdStrike
Section titled “CrowdStrike”falcon.crowdstrike.com → Support → User Management. Also verify all active sensors belong to known devices.
1Password
Section titled “1Password”1password.com → Admin console → People and → Service Accounts.
Doppler
Section titled “Doppler”doppler.com → Workplace → People. Check project-level access and service tokens:
GCP IAM
Section titled “GCP IAM”console.cloud.google.com → IAM → IAM (meridian7-navi project). Review all role bindings, filter by Monitoring and Cloud Run roles. Export as CSV.
Supabase
Section titled “Supabase”supabase.com → org settings → Members and project → Settings → API. Rotate service_role key if not rotated in 90 days or if a user with access has departed.
meridian-seven.slack.com → Admin → Manage members. Note guest accounts.
Backblaze
Section titled “Backblaze”secure.backblaze.com → App Keys. Verify each key: name identifies purpose, capabilities are minimum required, bucket restriction set where possible, keys for departed personnel deleted.
5. Review Checklist
Section titled “5. Review Checklist”The automated review script (access_review.py) handles roster comparison and flags discrepancies. Human judgment is still required to assess whether a flagged user should retain access — the script surfaces anomalies but cannot determine business context.
For each system, confirm findings in the GitHub review issue:
- List all users, service accounts, and tokens with access (pre-populated by
access_review.pyfor supported systems). - Cross-reference against current team roster (automated; verify completeness).
- For each user:
- Still employed or contracted at Meridian Seven?
- Still requires access for their role?
- Access level is not over-provisioned?
- For each service account, token, or API key:
- Still in active use?
- Minimum required permissions?
- Human owner documented?
- Rotated within 90 days (or rotation not applicable)?
Finding Classification
Section titled “Finding Classification”| Finding Type | Required Action |
|---|---|
| Stale account | Revoke immediately |
| Over-privileged | Downgrade |
| Orphaned token | Audit usage, rotate or delete |
| Expired rotation | Rotate immediately |
| Undocumented access | Verify identity or remove |
6. Remediation
Section titled “6. Remediation”Remediate all findings before closing the review. For each finding:
- Take action (revoke, downgrade, rotate, document).
- Note the action and timestamp in the GitHub issue.
- For Doppler secret rotation:
doppler secrets set SECRET_NAME -p m7-security -c prd
7. Evidence Collection
Section titled “7. Evidence Collection”Review automation/reports/status.json — all access-related FAILs must be resolved before closing. Commit any manually collected evidence to evidence/monthly-access-reviews/YYYY/.
8. Sign-Off
Section titled “8. Sign-Off”Review is complete when:
- All in-scope systems reviewed against current roster
- All stale accounts removed
- All over-privileged access corrected
- All orphaned tokens documented, rotated, or deleted
- Evidence collection run and committed
- Verify shows no access-related FAILs
CISO closes the GitHub issue with:
9. Automation Support
Section titled “9. Automation Support”The system-verify.yml workflow runs nightly at 05:00 UTC and posts to Slack on failure. Access-related failures must be triaged within 24 hours. The automation checks configuration state but does not assess whether individual users should retain access — that judgment belongs to the reviewer.
10. Related Documents
Section titled “10. Related Documents”- Access Control Policy
- Operations Runbook — Monthly Access Review (Section 3)
- Information Security Policy
Meridian Seven — Confidential